Procedure for Policy Exception Risk Acceptance
Details
Date | Version | Status | Information Classification | Document Template ID | Document No |
---|---|---|---|---|---|
12-05-2020 | 1.0 | Approved | Internal | AMS DOC | |
Revision History
Date | Version | Description | Author | Reviewed by | Approved by | Approved date |
---|---|---|---|---|---|---|
05-05-2020 | 1.0 | Initial Version | Shaila, Usha | AMF | Suresh Kumar BV | 12-05-2020 |
Acronym Used
Acronym | Expanded Form |
---|---|
AMF | Antares Management Forum |
CEO | Chief Executive Officer |
CISO | Chief Information Security Officer |
Purpose
The Procedure for Policy Exception Risk Acceptance provides a method for documenting an exception to compliance with established AMS policies, standards, and practices.
To guide ASL in achieving its objectives, ASL has established standards, procedures, and policies that all users are required to follow. However, ASL also recognizes that there may be urgent business needs that require deviations from these policies, standards, and procedures. To justify such deviations, users may use the exceptions process described here.
Scope
- This process applies to all AMS policies, procedures, standards and practices and to all ASL users.
Procedure
- Anyone can initiate an exception request by using the Policy Exception Risk Acceptance template.
- The Exception Request must include:
  - Requestor details
  - Description of the exception
  - Policy reference
  - Risk rating
  - Justification/business reason for the exception
  - Impact of the exception on other business areas (collateral damage)
  - Duration of the exception
- The Requestor initiates the Policy Exception Risk Acceptance request and submits it to the Quality team with the Function head's approval.
- A Quality team member works with the Requestor to:
  - evaluate potential alternatives and propose mitigating controls
  - assess residual risks
  - provide recommendations, and
  - determine the appropriate function approval(s) the user needs to obtain
- Once the analysis is completed by the Quality team member, the request is sent for CISO approval together with the recommendations.
- CEO approval is required in exceptional cases and for exceptions with financial implications.
- Once the review of the exception has been completed and the exception approved, it is signed off to the implementation team.
- The implementation team documents and implements the mitigating controls.
- An exception is granted for a maximum period of one year and a minimum duration of one day.
- At the end of the set duration, the exception is reviewed and either terminated, or the Requestor is notified to raise a new request for renewal.
- All exceptions are collated by the Quality team annually and a trend analysis is performed. Recommendations are presented at the AMF meeting. Based on those recommendations, some exceptions may be incorporated into policies or procedures.

Note: Exceptions will not be granted when feasible alternatives exist or when the risks outweigh the projected benefits.
Implementation Artifacts
Srl. | Template ID | Artifact Name |
---|---|---|
| F-PERA | Policy Exception Risk Acceptance |